So I managed to get this to work by changing hiera data slightly, replacing
the `lookup` function with `alias` so that the type wasn't automatically
converted to a string.

```yaml
# this works! note the weird quoting is to avoid hiera treating fqdn dots
# as sub-keys and is intentional.
profile::gitlab_runner::lookup_test: "%{alias(\"'vault_lookup::kv/data/host/gitlab-runner-31.example.com/gitlab-ci>registration_token'\")}"
```

Unfortunately, this breaks down when I want to embed that key in a config
hash within hiera, like this:

```yaml
gitlab_ci_runner::runners:
  'instance':
    config:
      name: "Instance Runner on %{::hostname}"
      registration-token: "%{alias(\"'vault_lookup::kv/data/host/gitlab-runner-31.example.com/gitlab-ci>registration_token'\")}"
  ...
```

I'm guessing without some changes in Hiera/Puppet, this part may not be
possible? Anyone have experience with this?


On Fri, Oct 21, 2022 at 2:28 PM Aaron Russo <[email protected]> wrote:

> We're using the vault_lookup[1] module to retrieve secrets from Vault via
> mTLS. It works fairly well when grabbing secrets within a manifest.
>
> However it feels like an anti-pattern by forcing lookups into our
> manifests when we want to keep that in Hiera. I found a previous related
> thread[2] where Henrik suggested writing a custom backend for Hiera and
> return a Deferred.
>
> However after doing what I thought was the correct thing, and returning a
> Deferred in our custom backend, the value in the file ends up being the
> literal string 'Deferred ...' and not being evaluated. I even wrote a quick
> manifest to check if a Deferred is being returned by Hiera/APL and it does
> not seem to be the case -- Hiera is returning a String representation of it.
>
> So my question is -- is it possible to actually return a Deferred via a
> Hiera lookup_key backend and if so, what might I be doing wrong? Sanitized
> code / outputs / etc provided[3] for mocking.
>
> Versions:
>  puppet: 7.20.0
>  puppetserver: 7.8.0
>  puppetlabs/stdlib: 8.30
>
> Thanks!
>
> Aaron
>
> [1] https://forge.puppet.com/modules/puppet/vault_lookup
> [2] https://groups.google.com/g/puppet-users/c/E-Q-ok-B0gQ/m/h-tYJFPdBwAJ
> [3] https://gist.github.com/arusso/9eed3cac93e02aa270b6811b560b2093
>


-- 
Aaron Russo (He/Him/His)
PIXAR | Network & Server Admins (NSA) | Senior Systems Engineer
[email protected]

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAA4bxV6NY%2BFoDk-sSZZ8Bv%3D4wuAVP%3DdeQ4Hbg1RnULQXAqCc-w%40mail.gmail.com.